Reception terminal, key management apparatus, and key updating method for public key cryptosystem

ABSTRACT

A method for use in a distribution system having a key management center, a distribution station and a reception terminal. The method updates a pair of distribution keys unique to the reception terminal, the distribution public key being used to encrypt distribution data, and the distribution secret key to decrypt encrypted data. In the key updating method, the reception terminal acquires an update secret key prior to data distribution; the key management center acquires an update public key making a pair with the update secret key, generates a new pair of distribution keys, encrypts the new distribution secret key using the update public key, transmits the encrypted secret key to the reception terminal and updates to the new distribution public key. The reception terminal receives the encrypted secret key, restores the new distribution secret key by decrypting it using the update secret key, and updates to the new distribution secret key.

BACKGROUND OF THE INVENTION

[0001] (1) Field of the Invention

[0002] The present invention relates to a method of updating a key for use in a data distribution system adopting a public key cryptosystem.

[0003] (2) Description of the Related Art

[0004] So far, various cryptosystems have been developed to prevent unauthorized use of digital contents that are protected by copyright. In some cryptosystems, encrypted digital contents are distributed to users, and only authorized users have in advance a key for decrypting the encrypted digital contents.

[0005] In the above cryptosystems, unauthorized use of digital contents is prevented since only authorized users can decrypt the encrypted digital contents.

[0006] The cryptosystems are roughly divided into secret key cryptosystems and public key cryptosystems. These cryptosystems are described fully in “Modern Encryption Theory” written by Shin-ichi Ikeno & Kenji Koyama and published by the Institute of Electronics, Information and Communication Engineers (IEICE).

[0007] In the secret key cryptosystems, a distributor and the receivers own the same key in common secretly. The distributor encrypts digital contents using the common key, and the receivers decrypt the encrypted digital contents using the common key. Generally, one distributor has a plurality of receivers. As a result, distributors have a load of managing secretly as many keys as there are receivers.

[0008] In the public key cryptosystems, a distributor holds and uses public keys to encrypt digital contents, and receivers hold and use secret keys to decrypt the encrypted digital contents. In this system, the distributors have less load.

[0009] It is desirable for security reasons that the keys used for encryption and decryption are updated either regularly or on an as-needed basis.

[0010] To update a common key in a secret key cryptosystem, either the distributor or a receiver must generate a new common key and secretly transfer the key to the other. If the new common key is known to a third party with a malicious intention, the encrypted digital contents may be used by the third party. Therefore, strict measures should be taken to protect the key when it is transferred. As understood from this, the secret key cryptosystem is not suitable for uses that require frequent updating of keys.

[0011] To update a public key and a secret key in a public key cryptosystem, it is general that each receiver generates a pair of a public key and a secret key and sends the public key to the distributor. The receiver holds the generated secret key without sending it to the distributor. With this arrangement, the secret key is not known to a third party, and even if the public key is known to a third party, it is impossible for the third party to decrypt the encrypted digital contents using only the public key. As understood from this, the public key cryptosystem is suitable for uses that require frequent updating of keys since receivers can send public keys without taking security measures.

[0012] As described above, the public key cryptosystem is broadly used in the systems for distributing copyright-protected digital contents or the like since in the cryptosystem, the distributors need not manage keys secretly, and key update is relatively easy.

[0013] However, in the distribution systems using the public key cryptosystem, it is desirable from the viewpoint of comprehensive management that the updating of the keys in pairs is performed by the distributor, a key management center or the like rather than performed by separate receivers at different times. It is also desired that the key pair updating is performed for all receivers at the same time to achieve an effective management of the public keys by the distributor, key management center or the like. However, it is difficult for conventional public key cryptosystems to achieve the above desired operations since in the conventional cryptosystems, each receiver takes the initiative in updating keys in pairs.

SUMMARY OF THE INVENTION

[0014] The object of the present invention is therefore to provide a method of updating pairs of keys conforming to a public key cryptosystem in a distribution system, the method enabling a distribution side and a key management center to take the initiative in updating the keys and to update a plurality of keys all at once.

[0015] The above object is fulfilled by a method, for use in a data distribution system having a key management center, a distribution station, and a reception terminal, for updating a pair of a distribution public key and a distribution secret key which conform to a public key cryptosystem and are both unique to the reception terminal, the distribution public key being used to encrypt data to be distributed to the reception terminal, the distribution secret key being used to decrypt the distributed encrypted data, the method comprising: an update secret key acquiring step in which the reception terminal acquires an update secret key prior to a data distribution; an update public key acquiring step in which the key management center acquires an update public key that makes a pair with the update secret key, prior to the data distribution; a key generating step in which the key management center generates a new pair of a distribution public key and a distribution secret key for the reception terminal; an encrypting step in which the key management center generates an encrypted secret key by encrypting the new distribution secret key using the update public key; a transmission step in which the key management center transmits the encrypted secret key to the reception terminal; a distribution public key updating step in which, after the transmission step, the key management center updates the distribution public key having been used so far by the distribution station in data distributions to the new distribution public key; a reception step in which the reception terminal receives the encrypted secret key; and a distribution secret key updating step in which the reception terminal restores the new distribution secret key as necessary by decrypting the encrypted secret key using the update secret key, and updates the distribution secret key having been used so far to the restored new distribution secret key.

[0016] With the above-described construction, the key management center generates the distribution public key and the distribution secret key, encrypts the distribution secret key using the update public key, and transmits the encrypted secret key. This enables the key management center to take the initiative in updating the pair of distribution keys assuring a safe distribution of the keys.

[0017] In the above key updating method, in the encrypting step, the key management center may further place a digital signature on the encrypted secret key as a certification of the encrypted secret key, and in the distribution secret key updating step, the reception terminal checks the digital signature placed on the encrypted secret key and judges whether the encrypted secret key has the certification, and updates to the new distribution secret key if having judged positively and does not update if having judged negatively.

[0018] With the above-described construction, it is possible to place a digital signature onto the encrypted secret key as a certification of the encrypted secret key. This prevents the distribution secret key from being updated erroneously.

[0019] In the above key updating method, the data distribution system may have a plurality of reception terminals, a plurality of pairs of a distribution public key and a distribution secret key are prepared for the plurality of reception terminals, respectively and uniquely, each distribution public key is used to encrypt data to be distributed to a corresponding reception terminal, each distribution secret key is used by a corresponding reception terminal to decrypt distributed encrypted data, in the update secret key acquiring step, each reception terminal acquires a corresponding update secret key, in the update public key acquiring step, the key management center acquires a plurality of update public keys that make pairs with the plurality of update secret keys, respectively, in the key generating step, the key management center generates a plurality of new pairs of a distribution public key and a distribution secret key, each new pair being unique to a different one of the plurality of reception terminals, in the encrypting step, the key management center generates encrypted secret keys for the plurality of reception terminals by encrypting the new distribution secret keys using the update public keys for the plurality of reception terminals, respectively, in the transmission step, the key management center transmits the encrypted secret keys to the corresponding reception terminals all at once, in the distribution public key updating step, after the transmission step, the key management center updates the distribution public keys for the plurality of reception terminals having been used so far by the distribution station in data distributions to the new distribution public keys; in the reception step, each reception terminal receives a corresponding encrypted secret key, and in the distribution secret key updating step, each reception terminal restores the corresponding new distribution secret key as necessary by decrypting the corresponding encrypted secret key using the corresponding update secret key, and updates the distribution secret key having been used so far to the restored new distribution secret key.

[0020] With the above-described construction, it is possible to update pairs of distribution keys all at once.

[0021] The above key updating method may further comprise: a terminal detecting step in which the distribution station detects a reception terminal for which data distribution should be stopped; and a distribution preventing step in which, when a reception terminal for which data distribution should be stopped is detected in the terminal detecting step, the distribution station prevents data distribution to the detected reception terminal.

[0022] With the above-described construction, the key management center can take the initiative in preventing distribution of encrypted data to part of reception terminals.

[0023] The above key updating method may further comprise a terminal detecting step in which the distribution station detects a reception terminal for which a distribution secret key should be updated, wherein in the key generating step, the key management center generates a new pair of a distribution public key and a distribution secret key for the reception terminal detected in the terminal detecting step, in the encrypting step, the key management center generates an encrypted secret key for the detected reception terminal by encrypting the new distribution secret key generated for the detected reception terminal, using the update public key unique to the detected reception terminal, in the transmission step, the key management center transmits the encrypted secret key for the detected reception terminal to the detected reception terminal, in the distribution public key updating step, after the transmission step, the key management center updates the distribution public key having been used so far by the distribution station in data distributions to the detected reception terminal, to the new distribution public key, and in the distribution secret key updating step, the detected reception terminal restores the new distribution secret key as necessary by decrypting the encrypted secret key using the update secret key, and updates the distribution secret key having been used so far to the restored new distribution secret key.

[0024] With the above-described construction, the key management center can take the initiative in updating the distribution secret key for part of the reception terminals.

[0025] In the above key updating method, the distribution station may generate encrypted contents keys respectively corresponding to the plurality of reception terminals by encrypting a contents key conforming to a secret key cryptosystem using the distribution public keys respectively corresponding to the plurality of reception terminals, generates encrypted contents respectively corresponding to the plurality of reception terminals by encrypting a content using the corresponding contents keys, and distributes (a) all the generated encrypted contents keys and (b) a corresponding encrypted content to each of the plurality of reception terminals, wherein each reception terminal restores each contents key by decrypting each encrypted contents key among the distributed encrypted contents keys using each distribution secret key for each reception terminal, and restores the content by decrypting each corresponding encrypted content using each restored contents key.

[0026] With the above-described construction, the distribution station distributes to each reception terminal (a) all the encrypted contents keys for the reception terminals generated by encrypting the content key using the distribution secret keys for the reception terminals and (b) an encrypted content generated by encrypting a content using the content key. This reduces the total amount of distributed data, and reduces the load on each apparatus in decrypting the content.

[0027] In the above key updating method, the reception terminal may have an IC card on which an encrypted secret key unique to the reception terminal is recorded, and the reception terminal restores a distribution secret key by decrypting the encrypted secret key recorded on the IC card, and decrypts distributed encrypted data using the restored distribution secret key, in the transmission step, the key management center records the encrypted secret key generated in the encrypting step onto a new IC card, and transmits the new IC card to the reception terminal, in the reception step, the reception terminal receives the new IC card, and in the distribution secret key updating step, the reception terminal updates to the new distribution secret key by replacing the IC card having been used so far with the new IC card.

[0028] With the above-described construction, the distribution secret key is updated to the new distribution secret key by replacing the IC card with the new IC card. This increases the level of security, compared with the case where the new encrypted secret key is transferred using a public telephone line or the like.

[0029] The above object is also fulfilled by a reception terminal for restoring certain data by decrypting encrypted certain data distributed from a distribution station, using a distribution secret key unique to the reception terminal, the reception terminal comprising: an update secret key acquiring means for acquiring an update secret key prior to a data distribution; a holding means for holding an encrypted secret key which is generated by encrypting the distribution secret key using an update public key that makes a pair with the update secret key; a reception means for receiving the encrypted data from the distribution station; a distribution secret key restoring means for restoring the distribution secret key unique to the reception terminal by decrypting the encrypted secret key held by the holding means, using the update secret key acquired by the update secret key acquiring means; and a data restoring means for restoring the certain data by decrypting the encrypted certain data using the restored distribution secret key.

[0030] With the above-described construction, it is possible to generate a distribution secret key by decrypting the encrypted secret key that is being held using an acquired update secret key, and obtain the certain data by decrypting the received encrypted data using the generated distribution secret key. This enables a system other than the reception terminals to update the distribution secret key in so far as each reception terminal can acquire the update secret key secretly, enabling the system other than the reception terminals to take the initiative in updating the pairs of distribution keys assuring a safe distribution of the keys.

[0031] The above reception terminal may further comprise: a new key receiving means for receiving a new encrypted secret key from the key management center, the new encrypted secret key being generated by the key management center by encrypting a distribution secret key using the update public key, the distribution secret key making a pair with a distribution public key, the pair being generated by the key management center and conforming to a public key cryptosystem; and a secret key updating means for updating the encrypted secret key held by the holding means to the new encrypted secret key.

[0032] With the above-described construction, the key management center generates the distribution public key and the distribution secret key, encrypts the distribution secret key using the update public key, and transmits the new encrypted secret key. This enables the reception terminal to receive the new encrypted secret key and update the encrypted secret key having been used so far to the new encrypted secret key. This enables the key management center to take the initiative in updating the pair of distribution keys assuring a safe distribution of the keys.

[0033] In the above reception terminal, the new encrypted secret key received by the new key receiving means may have a digital signature as a certification of the new encrypted secret key, and after the secret key updating means updates to the new encrypted secret key, the distribution secret key restoring means checks the digital signature placed on the new encrypted secret key and judges whether the new encrypted secret key has the certification, and restores another distribution secret key by decrypting the new encrypted secret key if having judged positively and does not restore another distribution secret key if having judged negatively.

[0034] With the above-described construction, it is possible to judge whether the held encrypted secret key has a certification by checking the digital signature placed on the encrypted secret key. This prevents the distribution secret key from being used erroneously.

[0035] In the above reception terminal, the reception means may receive (a) an encrypted contents key generated by encrypting a contents key using the distribution public key unique to the reception terminal and (b) an encrypted content generated by encrypting a content using the contents key, the data restoring means restores the contents key by decrypting the encrypted contents key using the distribution secret key unique to the reception terminal, and restores the content by decrypting the encrypted content using the restored contents key.

[0036] With the above-described construction, the distribution station distributes to each reception terminal (a) all the encrypted contents keys for the reception terminals generated by encrypting the content key using the distribution secret keys for the reception terminals and (b) an encrypted content generated by encrypting a content using the content key. This reduces the total amount of distributed data, and reduces the load on each apparatus in decrypting the content.

[0037] In the above reception terminal, the holding means may be an IC card, the new key receiving means receives a new IC card on which the new encrypted secret key is recorded, and the secret key updating means updates to the new encrypted secret key by replacing the IC card having been used so far with the new IC card.

[0038] With the above-described construction, the distribution secret key is updated to the new distribution secret key by replacing the IC card with the new IC card. This increases the level of security, compared with the case where the new encrypted secret key is transferred using a public telephone line or the like.

[0039] The above object is also fulfilled by a key management apparatus, comprising: an update public key acquiring means for acquiring, prior to a data distribution, an update public key that makes a pair with an update secret key held by a reception terminal; a key generating means for generating a pair of a distribution public key and a distribution secret key for the reception terminal; an encrypting means for generating an encrypted secret key by encrypting the distribution secret key using the update public key; a transmission means for transmitting the encrypted secret key to the reception terminal; a distribution public key updating means for, after the transmission step, updating the distribution public key having been used so far to the new distribution public key for use in data distribution.

[0040] With the above-described construction, the key management apparatus generates the distribution public key and the distribution secret key, encrypts the distribution secret key using the update public key, and transmits the encrypted secret key. This enables the key management apparatus to take the initiative in updating the pair of distribution keys assuring a safe distribution of the keys.

[0041] In the above key management apparatus, the encrypting means may further place a digital signature on the encrypted secret key as a certification of the encrypted secret key.

[0042] With the above-described construction, the key management apparatus places a digital signature onto the encrypted secret key. This enables the reception terminal to judge whether the received encrypted secret key has a certification, thus preventing the reception terminal from erroneously updating to an unauthenticated distribution secret key.

[0043] In the above key management apparatus, the update public key acquiring means may acquire a plurality of update public keys that are respectively unique to a plurality of reception terminals, the key generating means generates a plurality of pairs of a distribution public key and a distribution secret key, each pair being unique to a different one of the plurality of reception terminals, the encrypting means generates encrypted secret keys for the plurality of reception terminals by encrypting the distribution secret keys using the update public keys for the plurality of reception terminals, respectively, the transmission means transmits the encrypted secret keys to the corresponding reception terminals all at once, and the distribution public key updating means, after the transmission of the encrypted secret keys, updates the distribution public keys having been used so far to the new distribution public keys for the respective reception terminals.

[0044] With the above-described construction, it is possible to update pairs of distribution keys all at once.

[0045] The above key management apparatus may further comprise: a terminal detecting means for detecting a reception terminal for which data distribution should be stopped; and a distribution preventing means for, when a reception terminal for which a data distribution should be stopped is detected by the terminal detecting means, preventing the data distribution to the detected reception terminal.

[0046] With the above-described construction, the key management apparatus can take the initiative in preventing distribution of encrypted data to part of reception terminals.

[0047] The above key management apparatus may further comprise: a terminal detecting means for detecting a reception terminal for which a distribution secret key should be updated, wherein the key generating means generates a new pair of a distribution public key and a distribution secret key for the reception terminal detected by the terminal detecting means, the encrypting means generates an encrypted secret key for the detected reception terminal by encrypting the new distribution secret key generated for the detected reception terminal, using the update public key unique to the detected reception terminal, the transmission means transmits the encrypted secret key for the detected reception terminal to the detected reception terminal, the distribution public key updating means, after the transmission of the encrypted secret key, updates the distribution public key having been used so far to the new distribution public key, for the detected reception terminal.

[0048] With the above-described construction, the key management apparatus can take the initiative in updating the distribution secret key for part of the reception terminals.

[0049] In the above key management apparatus, the key management apparatus may also serve as a distribution station and further comprises: a distribution data generating means for generating a plurality of pieces of encrypted data respectively for the plurality of reception terminals by encrypting certain data using distribution public keys for the plurality of reception terminals; and a distribution means for distributing all the plurality of pieces of encrypted data to each of the plurality of reception terminals.

[0050] With the above-described construction, the distribution station can update pairs of distribution keys all at once.

[0051] In the above key management apparatus, the distribution data generating means may generate a plurality of pieces of encrypted contents keys respectively for the plurality of reception terminals by encrypting a contents key using the distribution public keys for the plurality of reception terminals, and generates encrypted contents respectively corresponding to the plurality of reception terminals by encrypting a content using the corresponding contents keys, and the distribution means distributes (a) all the generated encrypted contents keys and (b) a corresponding encrypted content to each of the plurality of reception terminals.

[0052] With the above-described construction, the distribution station distributes to each reception terminal (a) all the encrypted contents keys for the reception terminals generated by encrypting the content key using the distribution secret keys for the reception terminals and (b) an encrypted content generated by encrypting a content using the content key. This reduces the total amount of distributed data, and reduces the load on each apparatus in decrypting the content.

[0053] In the above key management apparatus, the reception terminal may have an IC card on which an encrypted secret key unique to the reception terminal is recorded, and the reception terminal restores a distribution secret key by decrypting the encrypted secret key recorded on the IC card, and decrypts distributed encrypted data using the restored distribution secret key, the transmission means records the encrypted secret key generated by the encrypting means onto a new IC card, and transmits the new IC card to the reception terminal.

[0054] With the above-described construction, a new IC card on which a new encrypted secret key is recorded is sent to each reception terminal, and each reception terminal updates to a new distribution secret key by replacing the IC card having been used so far with the new IC card. This increases the level of security, compared with the case where the new encrypted secret key is transferred using a public telephone line or the like.

BRIEF DESCRIPTION OF THE DRAWINGS

[0055] These and the other objects, advantages and features of the invention will become apparent from the following description thereof taken in conjunction with the accompanying drawings which illustrate a specific embodiment of the invention.

[0056] In the drawings:

[0057] FIG. 1 shows the distribution system in Embodiment 1 of the present invention;

[0058] FIG. 2 is a flowchart showing the procedure for preparing a contents distribution;

[0059] FIG. 3 is a flowchart showing a contents distribution procedure;

[0060] FIG. 4 is a flowchart showing the procedure of updating keys;

[0061] FIG. 5 shows the DVD player production system in Embodiment 2 of the present invention;

[0062] FIG. 6 shows the distribution system in Embodiment 2 of the present invention;

[0063] FIG. 7 is a flowchart showing the procedure of producing a DVD player;

[0064] FIG. 8 is a flowchart showing the procedure of producing a DVD disc;

[0065] FIG. 9 is a flowchart showing the procedure of playing back a DVD disc; and

[0066] FIG. 10 is a flowchart showing the procedure of updating an IC card.

DESCRIPTION OF THE PREFERRED EMBODIMENT

[0067] Embodiment 1

[0068] Summary

[0069] Embodiment 1 of the present invention explains a technique for use in a contents distribution system having one key management center, one distribution station, and a plurality of reception terminals. In the contents distribution system, the key management center takes the initiative in updating a pair of a public key and a secret key for each reception terminal in a public key cryptosystem.

[0070] Prior to a contents distribution, each reception terminal generates a pair of an update secret key and an update public key, secretly holds the update secret key and sends the update public key to the key management center.

[0071] The key management center, holding the update public keys sent from the respective reception terminals beforehand, generates a pair of a distribution secret key and a distribution public key for each reception terminal at the initial distribution of contents or each updating of keys. The distribution station uses the distribution public key when it distributes the contents. The key management center generates an encrypted secret key by encrypting the generated distribution secret key using the update public key, and sends the encrypted secret key to each reception terminal.

[0072] Upon receiving an encrypted secret key, each reception terminal generates a distribution secret key by decrypting the received encrypted secret key using the update secret key it holds, and uses the distribution secret key to decrypt a received content.

[0073] As described above, in the technique disclosed in Embodiment 1, a distribution secret key is encrypted using an update public key and the generated encrypted secret key is sent to each reception terminal. This technique enables the distribution secret keys to be distributed with safety and allows the key management center to take the initiative in updating the pairs of public and secret keys for the reception terminals.

[0074] Construction

[0075] FIG. 1 shows the distribution system in Embodiment 1 of the present invention.

[0076] The distribution system 100 shown in FIG. 1 includes a key management center apparatus 110, a distribution station apparatus 120, and reception terminals 130, 140, and 150.

[0077] The key management center apparatus 110 manages the same keys as are respectively held by all reception terminals included in the distribution system 100. The key management center apparatus 110 includes a public key managing unit 111, a distribution key generating unit 112, an encrypting unit 113, a transmission unit 114, a public key updating unit 115, an update determining unit 116, and a distribution preventing unit 117.

[0078] The distribution station apparatus 120 generates and distributes data to each reception terminal, and includes a distribution data generating unit 121 and a distribution unit 122.

[0079] The reception terminal 130 receives the data from thedistribution station apparatus 120 and reproduces contents of thereceived data for the user. The reception terminal 130 includes anupdate key generating unit 131, a secret key managing unit 132, aholding unit 133, a reception unit 134, a secret key decrypting unit135, a contents decrypting unit 136, a secret key receiving unit 137,and a secret key updating unit 138.

[0080] The reception terminals 140 and 150 have similar constructions asthe reception terminal 130, and the explanation is omitted here.

[0081] The public key managing unit 111 receives from each reception terminal an update public key unique to the reception terminal, prior to a data distribution.

[0082] The distribution key generating unit 112, when updating a key or before a data distribution, generates for each reception terminal a pair of a distribution public key and a distribution secret key, each of which is unique to the reception terminal and conforms to a public key cryptosystem.

[0083] In the present document, it is supposed that the ElGamal cryptosystem is used as the public key cryptosystem. For the ElGamal cryptosystem, refer to “Modern Encryption Theory” written by Shin-ichi Ikeno & Kenji Koyama and published by the Institute of Electronics, Information and Communication Engineers (IEICE).

[0084] The encrypting unit 113 generates an encrypted secret key for each reception terminal by encrypting the distribution secret key generated by the distribution key generating unit 112 using the update public key managed by the public key managing unit 111. The encrypting unit 113 also places a digital signature for certification of the key management center apparatus 110 as the generator of the encrypted secret key.

[0085] In the present document, it is supposed that the digital signatures conform to the ElGamal cryptosystem. For the digital signatures conforming to the ElGamal cryptosystem, refer to “Modern Encryption Theory” having been introduced earlier.

[0086] The transmission unit 114, when updating a key or before a data distribution, transmits the encrypted secret key generated by the encrypting unit 113 to each reception terminal.

[0087] The public key updating unit 115, after the transmission unit 114 transmits the encrypted secret key to each reception terminal, instructs the distribution station apparatus 120 to use, when distributing data to each reception terminal, the distribution public keys generated by the distribution key generating unit 112.

[0088] The update determining unit 116 monitors the operation of each reception terminal to detect a reception terminal for which data distribution should be stopped or for which the distribution secret key should be updated. For example, the update determining unit 116 may determine that all distribution secret keys should be updated either when any reception terminals are abnormally operating or on a regular basis.

[0089] It should be noted here that every distribution secret key that is determined to be updated by the update determining unit 116 is updated without delay by the distribution key generating unit 112, encrypting unit 113, transmission unit 114, and public key updating unit 115.

[0090] The distribution preventing unit 117, when the update determining unit 116 has detected a reception terminal for which a data distribution should be stopped, prevents the data distribution to the detected reception terminal in which the distribution public key is used.

[0091] The distribution data generating unit 121 generates encrypted contents keys for each reception terminal by encrypting a contents key conforming to the secret key cryptosystem, using each distribution public key for each reception terminal. The distribution data generating unit 121 also generates an encrypted content by encrypting a content to be distributed to each reception terminal, using the contents key.

[0092] When the distribution preventing unit 117 is preventing a data distribution to a certain reception terminal, the distribution data generating unit 121 does not generate an encrypted contents key for the reception terminal.

[0093] The distribution unit 122 distributes a set of the encrypted content and all the encrypted contents keys generated by the distribution data generating unit 121 to each of the reception terminals.

[0094] The update key generating unit 131 generates a pair of an update public key and an update secret key for the reception terminal 130, passes the update secret key secretly to the secret key managing unit 132, and sends the update public key to the public key managing unit 111, prior to a data distribution.

[0095] The secret key managing unit 132 secretly receives the update secret key from the update key generating unit 131, and manages the received update secret key.

[0096] The holding unit 133 holds an encrypted secret key that is generated by encrypting the distribution secret key for the reception terminal 130 using the update public key for the reception terminal 130.

[0097] It should be noted here that digital signatures are placed on the encrypted secret keys for certification of the generator of the encrypted secret keys, the generator being the key management center apparatus 110 in the present embodiment.

[0098] The reception unit 134 receives from the distribution station apparatus a set of the encrypted content and all encrypted contents keys respectively prepared for all reception terminals.

[0099] The secret key decrypting unit 135 restores the distribution secret key by decrypting the encrypted secret key held by the holding unit 133 using the update secret key managed by the secret key managing unit 132.

[0100] The secret key decrypting unit 135 also judges whether the encrypted secret key has been generated by the authenticated key management center apparatus 110 based on the digital signature placed on the encrypted secret key. If having judged positively, the secret key decrypting unit 135 restores the distribution secret key for the reception terminal 130; and if having judged negatively, the secret key decrypting unit 135 does not restore the distribution secret key for the reception terminal 130.

[0101] The contents decrypting unit 136 restores the contents key by decrypting the encrypted contents key received by the receiving unit 134 using the distribution secret key restored by the secret key decrypting unit 135. The contents decrypting unit 136 restores the content by decrypting the encrypted content received by the receiving unit 134 using the generated contents key.

[0102] The secret key receiving unit 137 of each reception terminal receives an encrypted secret key from the transmission unit 114.

[0103] The secret key updating unit 138 allows the holding unit 133 to hold the encrypted secret key received by the secret key receiving unit 137.

[0104] If the holding unit 133 has already held an encrypted secret key, the secret key updating unit 138 updates the held encrypted secret key to the newly received encrypted secret key.

[0105] The secret key updating unit 138 judges whether the encrypted secret key received by the secret key receiving unit 137 has been generated by the authenticated key management center apparatus 110 based on the digital signature placed on the encrypted secret key. If having judged positively, the secret key updating unit 138 updates the distribution secret key; and if having judged negatively, the secret key updating unit 138 does not update the distribution secret key.

[0106] Operation

[0107] FIG. 2 is a flowchart showing the procedure for preparing a contents distribution. Now, the procedure for preparing a contents distribution will be described with reference to FIG. 2.

[0108] (1) Each reception terminal generates a pair of an update public key and an update secret key, holds the update secret key secretly, and sends the update public key to the key management center apparatus 110 (step S1). For example, in the reception terminal 130, the update key generating unit 131 generates a pair of an update secret key IKs1 and an update public key IKp1, passes the update secret key IKs1 to the secret key managing unit 132 secretly, and sends the update public key IKp1 to the public key managing unit 111 via a general communication line or the like, not secretly. The secret key managing unit 132 secretly manages the received update secret key IKs1.

[0109] Similarly, the reception terminal 140 generates a pair of an update secret key IKs2 and an update public key IKp2, holds the update secret key IKs2 secretly, and sends the update public key IKp2 to the public key managing unit 111.

[0110] Similarly, the reception terminal 150 generates a pair of an update secret key IKs3 and an update public key IKp3, holds the update secret key IKs3 secretly, and sends the update public key IKp3 to the public key managing unit 111.

[0111] (2) The key management center apparatus manages the update public keys respectively received from the reception terminals (step S2). For example, the public key managing unit 111 receives the update public keys IKp1, IKp2, and IKp3 from the reception terminals 130, 140, and 150, respectively, and manages the received update public keys.

[0112] (3) The key management center apparatus generates for each reception terminal a pair of a distribution public key and a distribution secret key (step S3). For example, the distribution key generating unit 112 generates a pair of a distribution public key Kp1 and a distribution secret key Ks1 for the reception terminal 130, a pair of a distribution public key Kp2 and a distribution secret key Ks2 for the reception terminal 140, and a pair of a distribution public key Kp3 and a distribution secret key Ks3 for the reception terminal 150.

[0113] (4) The key management center apparatus generates an encrypted secret key for each reception terminal by encrypting the distribution secret key using the update public key, and places a digital signature (step S4). For example, the encrypting unit 113 generates an encrypted secret key E (IKp1,Ks1) for the reception terminal 130 by encrypting the distribution secret key Ks1 using the update public key IKp1, generates an encrypted secret key E (IKp2,Ks2) for the reception terminal 140 by encrypting the distribution secret key Ks2 using the update public key IKp2, and generates an encrypted secret key E (IKp3,Ks3) for the reception terminal 150 by encrypting the distribution secret key Ks3 using the update public key IKp3.

[0114] (5) The key management center apparatus transmits the encrypted secret keys to the corresponding reception terminals (step S5). For example, the transmission unit 114 transmits the encrypted secret key E (IKp1,Ks1) to the reception terminal 130, the encrypted secret key E (IKp2,Ks2) to the reception terminal 140, and the encrypted secret key E (IKp3,Ks3) to the reception terminal 150.

[0115] (6) The key management center apparatus instructs the distribution station apparatus to use, when distributing data to each reception terminal, the distribution public keys for each reception terminal (step S6). For example, the key management center apparatus instructs the distribution data generating unit 121 of the distribution station apparatus 120 to use, when distributing data to each reception terminal, the distribution public keys Kp1, Kp2, and Kp3.

[0116] (7) Each reception terminal receives an encrypted secret key (step S7). For example, the secret key receiving unit 137 of the reception terminal 130 receives the encrypted secret key E (IKp1,Ks1).

[0117] Similarly, the reception terminal 140 receives the encrypted secret key E (IKp2,Ks2).

[0118] Similarly, the reception terminal 150 receives the encrypted secret key E (IKp3,Ks3).

[0119] Each reception terminal holds the received encrypted secret key (step S8). For example, in the reception terminal 130, the secret key updating unit 138 allows the holding unit 133 to hold the encrypted secret key E (IKp1,Ks1) received by the secret key receiving unit 137.

[0120] Similarly, the reception terminal 140 holds the encrypted secret key E (IKp2,Ks2).

[0121] Similarly, the reception terminal 150 holds the encrypted secret key E (IKp3,Ks3).

[0122] FIG. 3 is a flowchart showing a contents distribution procedure.

[0123] Now, the contents distribution procedure will be described with reference to FIG. 3.

[0124] (1) The distribution station apparatus generates an encrypted contents key for each reception terminal by encrypting a contents key using the distribution public key, and generates an encrypted content by encrypting a content to be distributed to each reception terminal, using the contents key (step S21). For example, the distribution data generating unit 121 generates an encrypted content C by encrypting a content M to be distributed, using a contents key K. The distribution data generating unit 121 also generates an encrypted contents key E (Kp1,K) for the reception terminal 130 by encrypting the contents key K using the distribution public key Kp1 for the reception terminal 130, generates an encrypted contents key E (Kp2,K) for the reception terminal 140 by encrypting the contents key K using the distribution public key Kp2 for the reception terminal 140, and generates an encrypted contents key E (Kp3,K) for the reception terminal 150 by encrypting the contents key K using the distribution public key Kp3 for the reception terminal 150.

[0125] (2) The distribution station apparatus distributes a set of the encrypted content and all encrypted contents keys to each reception terminal (step S22). For example, the distribution unit 122 distributes a set of the encrypted content C and all the encrypted contents keys E (Kp1,K), E (Kp2,K), and E (Kp3,K) to each of the reception terminals 130, 140, and 150.

[0126] (3) Each reception terminal receives a set of the encrypted content and all encrypted contents keys (step S23). For example, the reception terminal 130 receives a set of the encrypted content C and all the encrypted contents keys E (Kp1,K), E (Kp2,K), and E (Kp3,K).

[0127] (4) Each reception terminal judges whether the encrypted secret key it holds is authenticated, based on the digital signature placed on the encrypted secret key (step S24). For example, in the reception terminal 130, the secret key decrypting unit 135 judges whether the encrypted secret key E (IKp1,Ks1) held by the holding unit 133 is authenticated, based on the digital signature placed on the encrypted secret key E (IKp1,Ks1). If it is judged negatively, the content is not reproduced and the process ends.

[0128] (5) If it is judged positively in the step S24, the reception terminal restores a distribution secret key by decrypting the encrypted secret key using the update secret key (step S25). For example, in the reception terminal 130, the secret key decrypting unit 135 generates a distribution secret key Ks1 by decrypting the encrypted secret key E (IKp1,Ks1) held by the holding unit 133 using the update secret key IKs1 managed by the secret key managing unit 132.

[0129] (6) Each reception terminal restores the contents key by decrypting the received encrypted contents key using the generated distribution secret key. The reception terminal restores the content by decrypting the received encrypted content using the restored contents key (step S26). For example, in the reception terminal 130, the contents decrypting unit 136 restores a contents key K by decrypting the encrypted contents key E (Kp1,K) received by the receiving unit 134 using the distribution secret key Ks1 restored by the secret key decrypting unit 135. The contents decrypting unit 136 restores the content (referred to as a content M) by decrypting the encrypted content C received by the receiving unit 134 using the generated contents key K.

[0130] FIG. 4 is a flowchart showing the procedure of updating keys.

[0131] The procedure of updating keys will be described with reference to FIG. 4.

[0132] (1) The key management center apparatus 110 monitors the operation of each reception terminal to detect a reception terminal for which the distribution secret key should be updated (step S31). For example, the update determining unit 116 determines that the distribution secret keys for the reception terminals 130, 140, and 150 should be updated.

[0133] (2) The key management center apparatus 110 generates, for each reception terminal, a pair of a distribution public key and a distribution secret key (step S32). For example, the distribution key generating unit 112 generates a pair of a distribution public key Kp11 and a distribution secret key Ks11 for the reception terminal 130, a pair of a distribution public key Kp12 and a distribution secret key Ks12 for the reception terminal 140, and a pair of a distribution public key Kp13 and a distribution secret key Ks13 for the reception terminal 150.

[0134] (3) The key management center apparatus 110 generates an encrypted secret key for each reception terminal by encrypting the distribution secret key generated for each reception terminal, using the update public key for each reception terminal, and places a digital signature on the generated encrypted secret key (step S33). For example, the encrypting unit 113 generates an encrypted secret key E (IKp1,Ks11) for the reception terminal 130 by encrypting the distribution secret key Ks11 using the update public key IKp1, an encrypted secret key E (IKp2,Ks12) for the reception terminal 140 by encrypting the distribution secret key Ks12 using the update public key IKp2, and an encrypted secret key E (IKp3,Ks13) for the reception terminal 150 by encrypting the distribution secret key Ks13 using the update public key IKp3.

[0135] (4) The key management center apparatus 110 transmits the encrypted secret keys to respective reception terminals (step S34). For example, the transmission unit 114 transmits the encrypted secret key E (IKp1,Ks11) to the reception terminal 130, the encrypted secret key E (IKp2,Ks12) to the reception terminal 140, and the encrypted secret key E (IKp3,Ks13) to the reception terminal 150.

[0136] (5) The key management center apparatus 110 instructs the distribution station apparatus 120 to use, when distributing contents to each reception terminal, all the distribution public keys for all the reception terminals (step S35). For example, the key management center apparatus 110 instructs the distribution data generating unit 121 of the distribution station apparatus 120 to use all of the distribution public keys Kp11, Kp12, and Kp13 when distributing contents to each reception terminal.

[0137] (6) Each reception terminal receives an encrypted secret key (step S36). For example, the reception terminal 130 receives the encrypted secret key E (IKp1,Ks11).

[0138] Similarly, the reception terminal 140 receives the encrypted secret key E (IKp2,Ks12).

[0139] Similarly, the reception terminal 150 receives the encrypted secret key E (IKp3,Ks13).

[0140] (7) Each reception terminal updates the held encrypted secret key to the newly received encrypted secret key (step S37). For example, in the reception terminal 130, the secret key updating unit 138 updates the encrypted secret key E (IKp1,Ks1) held by the holding unit 133 to the encrypted secret key E (IKp1,Ks11) received by the secret key receiving unit 137.

[0141] Similarly, the reception terminal 140 updates the encrypted secret key E (IKp2,Ks2) to the encrypted secret key E (IKp2,Ks12).

[0142] Similarly, the reception terminal 150 updates the encrypted secret key E (IKp3,Ks3) to the encrypted secret key E (IKp3,Ks13).

[0143] It should be noted here that the key management center apparatus and the distribution station apparatus may be incorporated in one apparatus.

[0144] As described above, Embodiment 1 of the present invention enables a distribution station or a key management center to take the initiative in updating a pair of a public key and a secret key for each reception terminal in a public key cryptosystem.
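
The preparation (FIG. 2), distribution (FIG. 3) and key update (FIG. 4) procedures of Embodiment 1, as an added Python example that is not part of the patent text. It uses textbook ElGamal encryption and signatures over a toy prime; the group parameters, the class and function names, and the assumption that each terminal already holds the key management center's signature verification key are illustrative and not taken from the document.

```python
import hashlib
import secrets
from math import gcd

# Toy group (assumption): a known Mersenne prime and a fixed base. Far too small
# and too structured for real use; chosen only so the example runs offline.
P = 2**127 - 1
G = 3

def keygen():
    """Return (secret x, public y = G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2              # 2 <= x <= P-2
    return x, pow(G, x, P)

def encrypt(pub, m):
    """Textbook ElGamal E(pub, m) for an integer 1 <= m < P."""
    k = secrets.randbelow(P - 3) + 2
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def decrypt(sec, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sec, P)) % P     # c1^(-sec) by Fermat

def _digest(ct):
    data = b"|".join(str(v).encode() for v in ct)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def sign(sec, ct):
    """ElGamal signature (r, s) over an encrypted secret key."""
    h = _digest(ct)
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) != 1:                    # k must be invertible mod P-1
            continue
        r = pow(G, k, P)
        s = ((h - sec * r) * pow(k, -1, P - 1)) % (P - 1)
        if s:
            return r, s

def verify(pub, ct, sig):
    r, s = sig
    if not (0 < r < P and 0 < s < P - 1):         # range checks before the equation
        return False
    return pow(G, _digest(ct), P) == (pow(pub, r, P) * pow(r, s, P)) % P

class KeyManagementCenter:
    def __init__(self):
        self.sign_sec, self.sign_pub = keygen()   # centre's signing pair (assumed)
        self.update_pub = {}                      # terminal id -> IKp
        self.dist_pub = {}                        # terminal id -> current Kp

    def register(self, tid, ikp):                 # step S2
        self.update_pub[tid] = ikp

    def issue(self, tid):                         # steps S3-S6 and S32-S35
        ks, kp = keygen()                         # new distribution pair
        ct = encrypt(self.update_pub[tid], ks)    # E(IKp, Ks)
        sig = sign(self.sign_sec, ct)
        self.dist_pub[tid] = kp                   # key the distribution station uses
        return ct, sig

class Terminal:
    def __init__(self, kmc_pub):
        self.iks, self.ikp = keygen()             # step S1: update key pair
        self.kmc_pub = kmc_pub
        self.held = None                          # holding unit: (ct, sig)

    def receive(self, ct, sig):                   # steps S7-S8 and S36-S37
        if not verify(self.kmc_pub, ct, sig):
            return False                          # unsigned/forged key is not stored
        self.held = (ct, sig)
        return True

    def contents_key(self, enc_k):                # steps S24-S26
        if self.held is None or not verify(self.kmc_pub, *self.held):
            return None
        ks = decrypt(self.iks, self.held[0])      # restore Ks with IKs
        return decrypt(ks, enc_k)                 # restore K with Ks

def demo():
    kmc = KeyManagementCenter()
    t = Terminal(kmc.sign_pub)
    kmc.register("130", t.ikp)
    ct1, sig1 = kmc.issue("130")
    stored = t.receive(ct1, sig1)
    k = secrets.randbelow(P - 2) + 1              # contents key K (constructed)
    ok_before = t.contents_key(encrypt(kmc.dist_pub["130"], k)) == k
    old_ks = decrypt(t.iks, ct1)                  # the key being rotated out
    ct2, sig2 = kmc.issue("130")                  # key update, FIG. 4
    forged = (ct2[0], (ct2[1] * 2) % P)           # altered ciphertext, old signature
    rejected = not t.receive(forged, sig2)
    t.receive(ct2, sig2)
    enc2 = encrypt(kmc.dist_pub["130"], k)
    ok_after = t.contents_key(enc2) == k
    stale_fails = decrypt(old_ks, enc2) != k      # old Ks no longer unwraps K
    return stored, ok_before, rejected, ok_after, stale_fails

if __name__ == "__main__":
    print(demo())
```

As in the document, the signature in this example covers only the encrypted secret key; it carries no terminal identifier or sequence number.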

[0145] Embodiment 2

[0146] Summary

[0147] Embodiment 2 of the present invention explains a technique for allowing a key management center to take the initiative in updating pairs of distribution keys in a DVD disc distribution system that includes a device maker, a DVD player, the key management center, an IC card, a contents maker, a disc producer, and a DVD disc.

[0148] When producing a DVD player, the device maker generates a pair of an initial secret key and an initial public key that is unique to the DVD player, has the DVD player hold the initial secret key secretly, and sends the initial public key to the key management center.

[0149] The key management center registers the received initial public key with the database in correspondence with the DVD player, generates a pair of a distribution secret key and a distribution public key for the DVD player, registers the generated distribution public key with the database so that it can be used by the disc producer in producing a DVD disc, generates an encrypted secret key by encrypting the generated distribution secret key using the initial public key, and sends the encrypted secret key to the device maker.

[0150] The device maker records the received encrypted secret key onto an IC card, and sells the IC card together with the DVD player.

[0151] When judging that the keys should be updated after the DVD disc has been distributed, the key management center newly generates a pair of a distribution secret key and a distribution public key for the DVD player, updates the distribution public key having been registered with the database to the newly generated distribution public key, newly generates an encrypted secret key by encrypting the newly generated distribution secret key using the initial public key having been registered with the database, records the newly generated encrypted secret key onto a new IC card, and transfers the new IC card to the DVD player.

[0152] The contents user using the DVD player receives the new IC card, replaces the former IC card with the new one, and uses the new one to play back DVD discs distributed thereafter.

[0153] As described above, in the system disclosed in Embodiment 2, an IC card containing an encrypted secret key is transferred safely. This technique enables the key management center to take the initiative in updating pairs of distribution keys.

[0154] Construction

[0155] FIG. 5 shows the DVD player production system in Embodiment 2 of the present invention.

[0156] The production system 200 shown in FIG. 5 includes a player production apparatus 210, a DVD player 220, an IC card 230, and a key management center apparatus 240.

[0157] The player production apparatus 210 is an apparatus by which a device maker produces the DVD player 220. The player production apparatus 210 includes an initial key generating unit 211, a key writing unit 212, a public key transferring unit 213, and an IC card recording unit 214.

[0158] The DVD player 220 is an apparatus with which a contents user plays back the DVD disc. The DVD player 220 includes a secret key recording unit 221.

[0159] The IC card 230 is a semiconductor recording medium. When producing the DVD player, the production system 200 inserts the IC card 230 into the player production apparatus 210 and writes necessary data onto the IC card 230. The IC card 230 with the data is sold in combination with the DVD player 220. The contents user is required to insert the IC card into a dedicated slot of the DVD player 220 when playing back a DVD disc.

[0160] The key management center apparatus 240 is an apparatus used in a key management center to manage keys for all DVD players included in a distribution system. The key management center apparatus 240 includes an initial public key registration unit 241, a distribution key generating unit 242, a secret key encrypting unit 243, a transmission unit 244, a distribution public key registration unit 245, an initial public key database 246, and a distribution public key database 247.

[0161] The initial key generating unit 211 generates a pair of an initial secret key and an initial public key for each DVD player 220.

[0162] The key writing unit 212 writes the initial secret key generated by the initial key generating unit 211 onto the secret key recording unit 221.

[0163] The public key transferring unit 213 transfers the initial public key generated by the initial key generating unit 211 to the initial public key registration unit 241 by offline means.

[0164] The IC card recording unit 214 acquires an encrypted secret key from the transmission unit 244 and records the encrypted secret key onto the IC card 230.

[0165] The secret key recording unit 221 secretly holds the initial secret key written by the key writing unit 212.

[0166] The initial public key registration unit 241 receives the initial public key from the public key transferring unit 213 and registers the received initial public key with the initial public key database 246.

[0167] The distribution key generating unit 242, when a certain DVD player is produced or when keys are updated, generates a pair of a distribution secret key and a distribution public key that is unique to the certain DVD player.

[0168] The secret key encrypting unit 243 generates an encrypted secret key for the certain DVD player by encrypting the distribution secret key using an initial public key for the certain DVD player registered with the initial public key database 246, and also places a digital signature for certification of the key management center apparatus 240 as the generator of the encrypted secret key.

[0169] The transmission unit 244, when the certain DVD player is produced, transmits the encrypted secret key generated by the secret key encrypting unit 243 to the certain DVD player.

[0170] The distribution public key registration unit 245, after the transmission unit 244 transmits the encrypted secret key to the certain DVD player, or after a new IC card generating unit 344 (which will be described later) generates and transmits a new IC card to the certain DVD player, registers the distribution public key generated by the distribution key generating unit 242 with the distribution public key database 247.

[0171] The initial public key database 246 stores, for each DVD player, initial public keys registered by the initial public key registration unit 241.

[0172] The distribution public key database 247 stores, for each DVD player, distribution public keys registered by the distribution public key registration unit 245.

[0173] FIG. 6 shows the distribution system in Embodiment 2 of the present invention.

[0174] The distribution system 300 shown in FIG. 6 includes the DVD player 220, an IC card 330, the key management center apparatus 240, a contents maker apparatus 350, a disc producing apparatus 360, and a DVD disc 370.

[0175] The DVD player 220 further includes a secret key decrypting unit 321, a contents key decrypting unit 322, a contents decrypting unit 323, and an IC card updating unit 324, as well as the secret key recording unit 221.

[0176] The IC card 330 is a semiconductor recording medium. When updating keys, the distribution system 300 inserts the IC card 330 into a dedicated slot of the key management center apparatus 240 and writes necessary data onto the IC card 330. The contents user is required to insert the IC card into a dedicated slot of the DVD player 220 when playing back a DVD disc.

[0177] The key management center apparatus 240 further includes a contents key encrypting unit 341, an update determining unit 342, a registration deleting unit 343, and a new IC card generating unit 344, as well as the initial public key registration unit 241, distribution key generating unit 242, secret key encrypting unit 243, transmission unit 244, distribution public key registration unit 245, initial public key database 246, and distribution public key database 247.

[0178] The contents maker apparatus 350 is an apparatus used by a contents maker to provide contents and contents keys. The contents maker apparatus 350 includes a contents key management unit 351 and a contents management unit 352.

[0179] The disc producing apparatus 360 is used by a disc producer to produce the DVD disc 370. The disc producing apparatus 360 includes a contents key transfer unit 361, a contents key encrypting unit 362, an encrypted contents key transfer unit 363, and a producing unit 364.

[0180] The DVD disc 370 is an optical recording medium produced by the disc producer using the disc producing apparatus 360 and played back by the contents user using the DVD player 220.

[0181] The secret key decrypting unit 321, when the DVD disc is played back, reads the encrypted secret key from the IC card 230 or 330 inserted in the dedicated slot of the DVD player, and restores the distribution secret key by decrypting the encrypted secret key using the initial secret key held by the secret key recording unit 221.

[0182] The secret key decrypting unit 321 also judges whether the encrypted secret key has been generated by the authenticated key management center apparatus 240 based on the digital signature placed on the encrypted secret key. If having judged positively, the secret key decrypting unit 321 restores the distribution secret key for the DVD player 220; and if having judged negatively, the secret key decrypting unit 321 does not restore the distribution secret key for the DVD player 220.

[0183] The contents key decrypting unit 322, when the DVD disc is played back, restores the contents key by decrypting the encrypted contents key for the DVD player 220 recorded on the DVD disc 370 using the distribution secret key restored by the secret key decrypting unit 321.

[0184] The contents decrypting unit 323 restores the content by decrypting the encrypted content recorded on the DVD disc 370 using the contents key restored by the contents key decrypting unit 322.

[0185] The IC card updating unit 324 receives the IC card 330 from the new IC card generating unit 344, and after receiving the IC card 330, inserts the IC card 330 into the dedicated slot of the DVD player 220 and prepares for the succeeding playback of DVD discs.

[0186] The contents key encrypting unit 341, when DVD discs are produced, receives from the contents key transfer unit 361 the contents keys to be used for the production of the DVD discs, generates encrypted contents keys for each DVD player by encrypting the received contents keys using each distribution public key for all the currently effective DVD players registered with the distribution public key database 247, and sends the generated encrypted contents keys to the encrypted contents key transfer unit 363.

[0187] The update determining unit 342 monitors the operation of each DVD player to detect a DVD player which should be prevented from playing back a DVD disc or for which the distribution secret key should be updated. For example, the update determining unit 342 may determine that all distribution secret keys should be updated either when any DVD players are abnormally operating or on a regular basis.

[0188] It should be noted here that every distribution secret key that is determined to be updated by the update determining unit 342 is updated without delay by the distribution key generating unit 242, secret key encrypting unit 243, and distribution public key registration unit 245 after the new IC card generating unit 344 transmits a new IC card to a corresponding DVD player.

[0189] The registration deleting unit 343 deletes a distribution public key from the distribution public key database 247 after a corresponding DVD player is detected by the update determining unit 342 as a DVD player to be prevented from playing back a DVD disc.

[0190] The new IC card generating unit 344, when keys for a certain DVD player are updated, generates a new IC card 330 by recording the encrypted secret key for the certain DVD player generated by the secret key encrypting unit 243 onto a new IC card, and transmits the generated new IC card 330 to the corresponding DVD player.

[0191] The contents key management unit 351 manages contents keys, and provides the disc producing apparatus 360 with currently effective contents keys.

[0192] The contents management unit 352 manages contents, and provides the disc producing apparatus 360 with contents to be distributed.

[0193] The contents key transfer unit 361 receives contents keys from the contents key management unit 351 and sends the received contents keys to the contents key encrypting unit 341.

[0194] The contents encrypting unit 362 receives a content from the contents management unit 352, receives a contents key from the contents key transfer unit 361, generates an encrypted content by encrypting the received content using the received contents key, and sends the generated encrypted content to the producing unit 364.

[0195] The encrypted contents key transfer unit 363 receives encrypted contents keys for each DVD player from the contents key encrypting unit 341, and sends the received encrypted contents keys to the producing unit 364.

[0196] The producing unit 364 produces a DVD disc 370 by recording onto an optical disc the encrypted content received from the contents encrypting unit 362 and the encrypted contents key for each DVD player received from the encrypted contents key transfer unit 363.

[0197] Operation

[0198] FIG. 7 is a flowchart showing the procedure of producing a DVD player.

[0199] Now, the procedure of producing a DVD player will be described with reference to FIG. 7.

[0200] (1) When the device maker produces a certain DVD player 220, the initial key generating unit 211 generates a pair of an initial secret key and an initial public key for the certain DVD player 220 (step S41).

[0201] (2) The key writing unit 212 of the device maker writes the initial secret key for the certain DVD player 220 onto the secret key recording unit 221 (step S42).

[0202] (3) The public key transferring unit 213 of the device maker transfers the initial public key to the initial public key registration unit 241 of the key management center (step S43).

[0203] (4) The initial public key registration unit 241 of the key management center registers the received initial public key for the certain DVD player 220 with the initial public key database 246 (step S44).

[0204] (5) The distribution key generating unit 242 of the key management center generates a pair of a distribution secret key and a distribution public key for the certain DVD player 220 (step S45).

[0205] (6) The secret key encrypting unit 243 of the key management center generates an encrypted secret key for the certain DVD player by encrypting the generated distribution secret key using an initial public key for the certain DVD player 220 registered with the initial public key database 246, and also places a digital signature onto the encrypted secret key (step S46).

[0206] (7) The transmission unit 244 of the key management center transmits the generated encrypted secret key to the certain DVD player 220 (step S47).

[0207] (8) The distribution public key registration unit 245 of the key management center registers the distribution public key for the certain DVD player 220 with the distribution public key database 247 (step S48).

[0208] The IC card recording unit 214 of the device maker receives from the transmission unit 244 the encrypted secret key for the certain DVD player 220 on which a digital signature is placed, records the encrypted secret key onto an IC card 230, and ships the IC card 230 together with the certain DVD player 220 (step S49).

[0209] FIG. 8 is a flowchart showing the procedure of producing a DVD disc.

[0210] Now, the procedure of producing a DVD disc will be described with reference to FIG. 8.

[0211] (1) The contents key management unit 351 and the contents management unit 352 of the contents maker provide the disc producing apparatus 360 with currently effective contents keys and contents to be distributed, respectively (step S51).

[0212] (2) The contents key transfer unit 361 of the disc producer receives contents keys from the contents key management unit 351 and sends the received contents keys to the contents key encrypting unit 341 (step S52).

[0213] (3) The contents key encrypting unit 341 of the key management center receives the contents keys from the contents key transfer unit 361, generates encrypted contents keys for each DVD player by encrypting the received contents keys using each distribution public key for all the currently effective DVD players registered with the distribution public key database 247, and sends the generated encrypted contents keys to the encrypted contents key transfer unit 363 (step S53).

[0214] (4) The encrypted contents key transfer unit 363 of the disc producer receives the encrypted contents keys for each DVD player from the contents key encrypting unit 341, and sends the received encrypted contents keys to the producing unit 364 (step S54).

[0215] (5) The contents encrypting unit 362 of the disc producer receives a content from the contents management unit 352, receives the contents keys from the contents key transfer unit 361, generates encrypted contents by encrypting the received content using the received contents key, and sends the generated encrypted contents to the producing unit 364 (step S55).

[0216] The producing unit 364 of the disc producer produces a DVD disc 370 by recording onto an optical disc the encrypted content received from the contents encrypting unit 362 and the encrypted contents key for each DVD player received from the encrypted contents key transfer unit 363 (step S56).

[0217] FIG. 9 is a flowchart showing the procedure of playing back a DVD disc.

[0218] Now, the procedure of playing back a DVD disc will be described with reference to FIG. 9.

[0219] (1) The contents user inserts the IC card 230 or 330 into a dedicated slot of the DVD player 220, and inserts the DVD disc 370 into a dedicated slot of the DVD player 220 (step S61).

[0220] (2) The secret key decrypting unit 321 reads the encrypted secret key from the IC card 230 or 330 inserted in the dedicated slot of the DVD player, and judges whether the encrypted secret key has a certification based on the digital signature placed on the encrypted secret key (step S62). If it is judged negatively in step S62, the process ends without playing back the DVD disc.

[0221] (3) If it is judged positively in step S62, the secret key decrypting unit 321 restores the distribution secret key for the DVD player 220 by decrypting the encrypted secret key using the initial secret key held by the secret key recording unit 221 (step S63).

[0222] (4) The contents key decrypting unit 322 restores the contents key by decrypting the encrypted contents key for the DVD player 220 recorded on the DVD disc 370 using the distribution secret key restored by the secret key decrypting unit 321 (step S64).

[0223] (5) The contents decrypting unit 323 restores the content by decrypting the encrypted content recorded on the DVD disc 370 using the contents key restored by the contents key decrypting unit 322 (step S65).

[0224] FIG. 10 is a flowchart showing the procedure of updating an IC card.

[0225] Now, the procedure of updating an IC card will be described with reference to FIG. 10.

[0226] (1) The update determining unit 342 of the key management center monitors the operation of each DVD player to detect a DVD player which should be prevented from playing back a DVD disc or for which the distribution secret key should be updated. In this example, it is presumed that the update determining unit 342 determines that the distribution secret key for the DVD player 220 should be updated (step S71).

[0227] (2) The distribution key generating unit 242 of the key management center generates a pair of a distribution secret key and a distribution public key that is unique to the DVD player 220 (step S72).

[0228] (3) The secret key encrypting unit 243 of the key management center generates an encrypted secret key by encrypting the distribution secret key generated for the DVD player 220 using an initial public key for the DVD player 220 registered with the initial public key database 246, and also places a digital signature onto the encrypted secret key (step S73).

[0229] (4) The new IC card generating unit 344 of the key management center generates a new IC card 330 by recording the encrypted secret key for the DVD player 220 onto a new IC card, and transmits the generated new IC card 330 to the DVD player 220 (step S74).

[0230] (5) The IC card updating unit 324 of the DVD player 220 receives the IC card 330 from the new IC card generating unit 344, and after receiving the IC card 330, inserts the IC card 330 into the dedicated slot of the DVD player 220 and prepares for the succeeding playback of DVD discs (step S75).

[0231] It should be noted here that the key management center apparatus and the disc producing apparatus may be incorporated in one apparatus.

[0232] As described above, Embodiment 2 of the present invention enables a key management center to take the initiative in updating a pair of a public key and a secret key.
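The key chain of FIGS. 7, 9 and 10 (initial key, distribution key, contents key) can be traced with the following added example, which is not part of the patent text. It uses textbook ElGamal encryption and signatures over a toy 127-bit group; the center's signing key pair, the identifier "player-220" and the random contents keys are assumptions constructed for the illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy parameters (assumption): textbook ElGamal in Z_p*, no padding, 127-bit prime.
P = 2**127 - 1
G = 3

def keygen():
    x = secrets.randbelow(P - 3) + 2              # secret key in [2, P-2]
    return x, pow(G, x, P)                        # (secret, public)

def encrypt(pub, m):
    k = secrets.randbelow(P - 3) + 2              # fresh ephemeral exponent
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def decrypt(sec, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sec, P)) % P     # c1^(-sec) by Fermat's little theorem

def _digest(ct):
    return int.from_bytes(hashlib.sha256(repr(ct).encode()).digest(), "big") % (P - 1)

def sign(sec, ct):
    while True:
        k = secrets.randbelow(P - 3) + 2
        r = pow(G, k, P)
        if gcd(k, P - 1) == 1:                    # k must be invertible mod P-1
            s = ((_digest(ct) - sec * r) * pow(k, -1, P - 1)) % (P - 1)
            if s:
                return r, s

def verify(pub, ct, sig):
    r, s = sig
    in_range = 0 < r < P and 0 < s < P - 1        # reject out-of-range signature values
    return in_range and pow(G, _digest(ct), P) == (pow(pub, r, P) * pow(r, s, P)) % P

class KeyManagementCenter:
    def __init__(self):
        self.sign_sec, self.sign_pub = keygen()   # center signing key (assumption)
        self.initial_pub = {}                     # initial public key database 246
        self.distribution_pub = {}                # distribution public key database 247

    def register(self, player_id, initial_pub):   # steps S43-S44
        self.initial_pub[player_id] = initial_pub

    def issue_card(self, player_id):              # steps S45-S48 and S72-S74
        dist_sec, dist_pub = keygen()
        ct = encrypt(self.initial_pub[player_id], dist_sec)
        card = (ct, sign(self.sign_sec, ct))      # encrypted secret key + signature
        self.distribution_pub[player_id] = dist_pub   # discs made from now on use it
        return card

    def encrypt_contents_key(self, contents_key):  # step S53: one entry per player
        return {pid: encrypt(pub, contents_key)
                for pid, pub in self.distribution_pub.items()}

def restore_contents_key(player_id, initial_sec, center_pub, card, disc_keys):
    ct, sig = card
    if not verify(center_pub, ct, sig):
        return None                               # S62 negative: no playback
    dist_sec = decrypt(initial_sec, ct)           # S63
    entry = disc_keys.get(player_id)
    return None if entry is None else decrypt(dist_sec, entry)   # S64

def demo():
    center = KeyManagementCenter()
    init_sec, init_pub = keygen()                 # S41, at the device maker
    center.register("player-220", init_pub)
    card_230 = center.issue_card("player-220")
    key_a = secrets.randbelow(P - 2) + 1          # constructed contents key
    disc_a = center.encrypt_contents_key(key_a)
    card_330 = center.issue_card("player-220")    # key update, FIG. 10
    key_b = secrets.randbelow(P - 2) + 1
    disc_b = center.encrypt_contents_key(key_b)
    (c1, c2), sig = card_330
    forged = ((c1, (c2 + 1) % P), sig)            # altered card, signature unchanged
    args = ("player-220", init_sec, center.sign_pub)
    return (
        restore_contents_key(*args, card_230, disc_a) == key_a,   # old card, old disc
        restore_contents_key(*args, card_330, disc_b) == key_b,   # new card, new disc
        restore_contents_key(*args, card_230, disc_b) == key_b,   # old card, new disc
        restore_contents_key(*args, forged, disc_b),              # fails step S62
    )
```

The third result shows why the player needs the new IC card: a disc produced after the update carries a contents key encrypted under the new distribution public key, which the old card's distribution secret key does not decrypt.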

[0233] Though it is supposed in Embodiments 1 and 2 that the ElGamal cryptosystem is used as the public key cryptosystem, any other public key cryptosystems may be used instead.

[0234] Though it is supposed in Embodiments 1 and 2 that the digital signatures used to authenticate the encrypted secret keys provided from a key management center conform to the ElGamal cryptosystem, the digital signatures may conform to any other cryptosystems in so far as they can certify the authenticity of the encrypted secret keys.

[0235] In Embodiments 1 and 2, the encrypted secret keys, encrypted contents keys, encrypted contents or the like may be transferred via communication paths, or removable and movable recording mediums such as floppy discs, CD, MO, DVD, and memory cards, or any other means that can transfer encrypted contents.

[0236] In Embodiments 1 and 2, a plurality of key management centers may be provided. Each key management center may separately manage the encrypted keys, and each reception terminal or each DVD player may manage the encrypted keys for each key management center.

[0237] Although the present invention has been fully described by way of examples with reference to the accompanying drawings, it is to be noted that various changes and modifications will be apparent to those skilled in the art. Therefore, unless such changes and modifications depart from the scope of the present invention, they should be construed as being included therein.

What is claimed is:
 1. A method, for use in a data distribution system having a key management center, a distribution station, and a reception terminal, for updating a pair of a distribution public key and a distribution secret key which conform to a public key cryptosystem and are both unique to the reception terminal, the distribution public key being used to encrypt data to be distributed to the reception terminal, the distribution secret key being used to decrypt the distributed encrypted data, the method comprising: an update secret key acquiring step in which the reception terminal acquires an update secret key prior to a data distribution; an update public key acquiring step in which the key management center acquires an update public key that makes a pair with the update secret key, prior to the data distribution; a key generating step in which the key management center generates a new pair of a distribution public key and a distribution secret key for the reception terminal; an encrypting step in which the key management center generates an encrypted secret key by encrypting the new distribution secret key using the update public key; a transmission step in which the key management center transmits the encrypted secret key to the reception terminal; a distribution public key updating step in which, after the transmission step, the key management center updates the distribution public key having been used so far by the distribution station in data distributions to the new distribution public key; a reception step in which the reception terminal receives the encrypted secret key; and a distribution secret key updating step in which the reception terminal restores the new distribution secret key as necessary by decrypting the encrypted secret key using the update secret key, and updates the distribution secret key having been used so far to the restored new distribution secret key.
 2. The key updating method of claim 1, wherein in the encrypting step, the key management center further places a digital signature on the encrypted secret key as a certification of the encrypted secret key, and in the distribution secret key updating step, the reception terminal checks the digital signature placed on the encrypted secret key and judges whether the encrypted secret key has the certification, and updates to the new distribution secret key if having judged positively and does not update if having judged negatively.
 3. The key updating method of claim 1, wherein the data distribution system has a plurality of reception terminals, a plurality of pairs of a distribution public key and a distribution secret key are prepared for the plurality of reception terminals, respectively and uniquely, each distribution public key is used to encrypt data to be distributed to a corresponding reception terminal, each distribution secret key is used by a corresponding reception terminal to decrypt distributed encrypted data, in the update secret key acquiring step, each reception terminal acquires a corresponding update secret key, in the update public key acquiring step, the key management center acquires a plurality of update public keys that make pairs with the plurality of update secret keys, respectively, in the key generating step, the key management center generates a plurality of new pairs of a distribution public key and a distribution secret key, each new pair being unique to a different one of the plurality of reception terminals, in the encrypting step, the key management center generates encrypted secret keys for the plurality of reception terminals by encrypting the new distribution secret keys using the update public keys for the plurality of reception terminals, respectively, in the transmission step, the key management center transmits the encrypted secret keys to the corresponding reception terminals all at once, in the distribution public key updating step, after the transmission step, the key management center updates the distribution public keys for the plurality of reception terminals having been used so far by the distribution station in data distributions to the new distribution public keys; in the reception step, each reception terminal receives a corresponding encrypted secret key, and in the distribution secret key updating step, each reception terminal restores the corresponding new distribution secret key as necessary by decrypting the corresponding encrypted secret key using the corresponding update secret key, and updates the distribution secret key having been used so far to the restored new distribution secret key.
 4. The key updating method of claim 3 further comprising: a terminal detecting step in which the distribution station detects a reception terminal for which data distribution should be stopped; and a distribution preventing step in which, when a reception terminal for which data distribution should be stopped is detected in the terminal detecting step, the distribution station prevents data distribution to the detected reception terminal.
 5. The key updating method of claim 3 further comprising a terminal detecting step in which the distribution station detects a reception terminal for which a distribution secret key should be updated, wherein in the key generating step, the key management center generates a new pair of a distribution public key and a distribution secret key for the reception terminal detected in the terminal detecting step, in the encrypting step, the key management center generates an encrypted secret key for the detected reception terminal by encrypting the new distribution secret key generated for the detected reception terminal, using the update public key unique to the detected reception terminal, in the transmission step, the key management center transmits the encrypted secret key for the detected reception terminal to the detected reception terminal, in the distribution public key updating step, after the transmission step, the key management center updates the distribution public key having been used so far by the distribution station in data distributions to the detected reception terminal, to the new distribution public key, and in the distribution secret key updating step, the detected reception terminal restores the new distribution secret key as necessary by decrypting the encrypted secret key using the update secret key, and updates the distribution secret key having been used so far to the restored new distribution secret key.
 6. The key updating method of claim 3, wherein the distribution station generates encrypted contents keys respectively corresponding to the plurality of reception terminals by encrypting a contents key conforming to a secret key cryptosystem using the distribution public keys respectively corresponding to the plurality of reception terminals, generates encrypted contents respectively corresponding to the plurality of reception terminals by encrypting a content using the corresponding contents keys, and distributes (a) all the generated encrypted contents keys and (b) a corresponding encrypted content to each of the plurality of reception terminals, wherein each reception terminal restores each contents key by decrypting each encrypted contents key among the distributed encrypted contents keys using each distribution secret key for each reception terminal, and restores the content by decrypting each corresponding encrypted content using each restored contents key.
 7. The key updating method of claim 1, wherein the reception terminal has an IC card on which an encrypted secret key unique to the reception terminal is recorded, and the reception terminal restores a distribution secret key by decrypting the encrypted secret key recorded on the IC card, and decrypts distributed encrypted data using the restored distribution secret key, in the transmission step, the key management center records the encrypted secret key generated in the encrypting step onto a new IC card, and transmits the new IC card to the reception terminal, in the reception step, the reception terminal receives the new IC card, and in the distribution secret key updating step, the reception terminal updates to the new distribution secret key by replacing the IC card having been used so far with the new IC card.
 8. A reception terminal for restoring certain data by decrypting encrypted certain data distributed from a distribution station, using a distribution secret key unique to the reception terminal, the reception terminal comprising: an update secret key acquiring means for acquiring an update secret key prior to a data distribution; a holding means for holding an encrypted secret key which is generated by encrypting the distribution secret key using an update public key that makes a pair with the update secret key; a reception means for receiving the encrypted data from the distribution station; a distribution secret key restoring means for restoring the distribution secret key unique to the reception terminal by decrypting the encrypted secret key held by the holding means, using the update secret key acquired by the update secret key acquiring means; and a data restoring means for restoring the certain data by decrypting the encrypted certain data using the restored distribution secret key.
 9. The reception terminal of claim 8 further comprising: a new key receiving means for receiving a new encrypted secret key from the key management center, the new encrypted secret key being generated by the key management center by encrypting a distribution secret key using the update public key, the distribution secret key making a pair with a distribution public key, the pair being generated by the key management center and conforming to a public key cryptosystem; and a secret key updating means for updating the encrypted secret key held by the holding means to the new encrypted secret key.
 10. The reception terminal of claim 9, wherein the new encrypted secret key received by the new key receiving means has a digital signature as a certification of the new encrypted secret key, and after the secret key updating means updates to the new encrypted secret key, the distribution secret key restoring means checks the digital signature placed on the new encrypted secret key and judges whether the new encrypted secret key has the certification, and restores another distribution secret key by decrypting the new encrypted secret key if having judged positively and does not restore another distribution secret key if having judged negatively.
 11. The reception terminal of claim 9, wherein the reception means receives (a) an encrypted contents key generated by encrypting a contents key using the distribution public key unique to the reception terminal and (b) an encrypted content generated by encrypting a content using the contents key, the data restoring means restores the contents key by decrypting the encrypted contents key using the distribution secret key unique to the reception terminal, and restores the content by decrypting the encrypted content using the restored contents key.
 12. The reception terminal of claim 9, wherein the holding means is an IC card, the new key receiving means receives a new IC card on which the new encrypted secret key is recorded, and the secret key updating means updates to the new encrypted secret key by replacing the IC card having been used so far with the new IC card.
 13. A key management apparatus, comprising: an update public key acquiring means for acquiring, prior to a data distribution, an update public key that makes a pair with an update secret key held by a reception terminal; a key generating means for generating a pair of a distribution public key and a distribution secret key for the reception terminal; an encrypting means for generating an encrypted secret key by encrypting the distribution secret key using the update public key; a transmission means for transmitting the encrypted secret key to the reception terminal; a distribution public key updating means for, after the transmission step, updating the distribution public key having been used so far to the new distribution public key for use in data distribution.
 14. The key management apparatus of claim 13, wherein the encrypting means further places a digital signature on the encrypted secret key as a certification of the encrypted secret key.
 15. The key management apparatus of claim 13, wherein the update public key acquiring means acquires a plurality of update public keys that are respectively unique to a plurality of reception terminals, the key generating means generates a plurality of pairs of a distribution public key and a distribution secret key, each pair being unique to a different one of the plurality of reception terminals, the encrypting means generates encrypted secret keys for the plurality of reception terminals by encrypting the distribution secret keys using the update public keys for the plurality of reception terminals, respectively, the transmission means transmits the encrypted secret keys to the corresponding reception terminals all at once, and the distribution public key updating means, after the transmission of the encrypted secret keys, updates the distribution public keys having been used so far to the new distribution public keys for the respective reception terminals.
 16. The key management apparatus of claim 15 further comprising: a terminal detecting means for detecting a reception terminal for which data distribution should be stopped; and a distribution preventing means for, when a reception terminal for which a data distribution should be stopped is detected by the terminal detecting means, preventing the data distribution to the detected reception terminal.
 17. The key management apparatus of claim 15 further comprising: a terminal detecting means for detecting a reception terminal for which a distribution secret key should be updated, wherein the key generating means generates a new pair of a distribution public key and a distribution secret key for the reception terminal detected by the terminal detecting means, the encrypting means generates an encrypted secret key for the detected reception terminal by encrypting the new distribution secret key generated for the detected reception terminal, using the update public key unique to the detected reception terminal, the transmission means transmits the encrypted secret key for the detected reception terminal to the detected reception terminal, the distribution public key updating means, after the transmission of the encrypted secret key, updates the distribution public key having been used so far to the new distribution public key, for the detected reception terminal.
 18. The key management apparatus of claim 15, wherein the key management apparatus also serves as a distribution station and further comprises: a distribution data generating means for generating a plurality of pieces of encrypted data respectively for the plurality of reception terminals by encrypting certain data using distribution public keys for the plurality of reception terminals; and a distribution means for distributing all the plurality of pieces of encrypted data to each of the plurality of reception terminals.
 19. The key management apparatus of claim 18, wherein the distribution data generating means generates a plurality of pieces of encrypted contents keys respectively for the plurality of reception terminals by encrypting a contents key using the distribution public keys for the plurality of reception terminals, and generates encrypted contents respectively corresponding to the plurality of reception terminals by encrypting a content using the corresponding contents keys, and the distribution means distributes (a) all the generated encrypted contents keys and (b) a corresponding encrypted content to each of the plurality of reception terminals.
 20. The key management apparatus of claim 13, wherein the reception terminal has an IC card on which an encrypted secret key unique to the reception terminal is recorded, and the reception terminal restores a distribution secret key by decrypting the encrypted secret key recorded on the IC card, and decrypts distributed encrypted data using the restored distribution secret key, the transmission means records the encrypted secret key generated by the encrypting means onto a new IC card, and transmits the new IC card to the reception terminal.